#arpnetworks 2019-03-19,Tue

<mercutio> odd so randomly sometimes it just doesn't work and 404s? [00:59]
......... (idle for 43mn)
***ziyourenxiang has joined #arpnetworks [01:42]
.................................................... (idle for 4h17mn)
<mhoran> OK, I think it was some combination of weird cached things and then redirects that weren't working. https://graphs.arpnetworks.com just redirects to arpnetworks.com, and I think the HSTS somewhere was then getting cached.
But if I go to https://graphs.arpnetworks.com/cacti/ it works.
(After clearing all my cache and history.)
[05:59]
....................................... (idle for 3h14mn)
***ziyourenxiang has quit IRC (Ping timeout: 246 seconds) [09:14]
.......... (idle for 46mn)
<brycec> For me, https://graphs.arpnetworks.com does NOT redirect to arpnetworks.com, it redirects to /cacti/. Also, it's not serving an HSTS header.
But if I try http://graphs.arpnetworks.com
But if I try http://graphs.arpnetworks.com it DOES redirect to arpnetworks.com. (And no HSTS header in that response, or the response from https://arpnetworks.com)
^ I've had this same issue with portal.arpnetworks.com -- I type "portal.arpnetworks.com" in my browser and end up at https://arpnetworks.com, but if I make sure to type https://portal.arpnetworks.com I end up where I wanted to be.
Long story short... (portal|graphs).arpnetworks.com:80 really ought to redirect to the https://&:443 and _not_ https://arpnetworks.com, very jarring user experience
[10:00]
<mhoran> +1
Yeah I just presumed an HSTS header because of how it was behaving and I was confused.
[10:03]
<brycec> I think ARP used to have an HSTS header but with not all the subdomains set up for https, they pulled it because they weren't comfortable. [10:03]
............................................ (idle for 3h37mn)
<mercutio> i think hsts was only ever on the main web site
lg.arpnetworks.com doesn't have https
[13:40]
.... (idle for 18mn)
<brycec> Right, right. That's my recollection as well. BUT HSTS is typically recommended with "includeSubdomains" (IIRC) flag set so it causes browsers to assume *.arpnetworks.com are HSTS [13:59]
....................... (idle for 1h53mn)
<mercutio> ah
to my mind what is better is when you get put into google etc with HSTS
like prepopulating
[15:52]
......... (idle for 40mn)
<brycec> mercutio: You're referring to https://hstspreload.org/ ?
Of course, the easy way into that is to just have a domain under a TLD that's preloaded.
[16:32]
<mercutio> looks to be
i don't remember it being quite so easy
[16:33]
<brycec> It's been quite that easy for a few years now :P [16:34]
<mercutio> it needs includesubdomains for that
maybe doing includesubdomains isn't such a bad idea, thoughts, up_the_irons ?
[16:34]
<brycec> mercutio: No there are whole TLDs that are on the list already. Like .dev and .vodka
I think arpnetworks.vodka has a nice ring to it
[16:38]
<mercutio> haha
i didn't know that
[16:38]
<brycec> .google is another well-known (I think) [g]TLD that's on the HSTS list. With or without server headers, every web page served from a *.google domain is automatically HSTS'd, including all subdomains etc [16:39]
<mercutio> i didn't know there was a .google even
so many new TLD now!
tbh i don't pay much attention to domain names anymore
i use google to search for what i want generally
[16:39]
<brycec> oof the HSTS list has grown quite a bit since I last looked https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
(Correction, .vodka is not on the HSTS list, I misread something)
[16:41]
<mercutio> i prefer gin
that's pretty cool
[16:48]
***ziyourenxiang has joined #arpnetworks [16:51]
.......................... (idle for 2h5mn)
***ziyourenxiang has quit IRC (Remote host closed the connection) [18:56]
